"The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields," Have I Been Pwned said.
What 7‑Eleven disclosed about the April intrusion
7‑Eleven told customers in data breach notification letters dated May 1 that attackers gained access to "certain 7‑Eleven systems used to store franchisee documents." The company said the unauthorized access occurred on April 8, 2026. Beyond that timeline and the statement limiting the intrusion to systems holding franchisee documents, 7‑Eleven has not attributed the attack to a named group or provided additional technical details.
ShinyHunters claimed the break‑in and published a 9.4GB archive
On April 17 the extortion gang ShinyHunters publicly claimed responsibility, saying it had stolen more than 600,000 records after breaching 7‑Eleven's Salesforce environment. According to ShinyHunters' post, the group leaked a 9.4GB archive of documents on its dark web leak site after the company refused to pay a ransom to have the stolen data "returned and destroyed."
A 7‑Eleven spokesperson did not reply when BleepingComputer reached out to confirm ShinyHunters' claims or to provide a company figure for affected individuals.
Have I Been Pwned's analysis: roughly 185,300 unique people exposed
Have I Been Pwned analyzed the data published by ShinyHunters and reported that the breach exposed the data of 185,300 people. Its analysis identified unique email addresses and the accompanying personal data fields returned in the leaked set: names, dates of birth, phone numbers, and physical addresses. The service noted a "small number of records" contained additional exposed fields.
ShinyHunters' pattern: Salesforce targeting and other high‑profile claims
The group has focused on Salesforce customers over the past year, claiming to have breached hundreds of companies and to have stolen "billions of records" across campaigns described as the Salesforce Aura data theft attacks and the Salesloft Drift campaign. Other breaches recently claimed by ShinyHunters include the European Commission, Cisco and Google, according to the reporting.
What this means for franchisees, loyalty program members, and enterprise security teams
- Franchisees: 7‑Eleven says the affected systems were those "used to store franchisee documents," making franchise operators and the records they submit the logical focus for follow‑up and remediation.
- Loyalty program members: 7‑Eleven operates two loyalty programs with more than 100 million members combined; the company has not detailed whether loyalty program data were part of the exposed set, even as Have I Been Pwned's analysis shows extensive personal contact information among the leaked records.
- Enterprise security and procurement leaders: the claim that the company's Salesforce environment was breached reinforces ShinyHunters' recent pattern of targeting cloud CRM and customer‑data repositories, a trend the group has emphasized in its public posts.
A reminder from 2022 and outstanding questions
7‑Eleven's brands and operations span large scale: the company operates, franchises and licenses more than 86,000 stores worldwide, including about 13,000 in the U.S. and Canada, and it also operates and franchises Speedway, Stripes, Laredo Taco Company and Raise the Roost Chicken and Biscuits locations. The chain previously disclosed a ransomware incident in August 2022 affecting 7‑Eleven Denmark, when attackers encrypted some systems and forced the chain to shut down 175 stores.
For the April 2026 intrusion, critical facts remain unconfirmed by the company: whether the leaked archive represents the full scope of the theft, whether other internal systems were affected, and what specific measures 7‑Eleven has taken to contain and remediate the incident beyond customer notification letters sent May 1. Have I Been Pwned's analysis places the exposed set at roughly 185,300 people, but the company has not publicly verified that figure.
Original reporting: BleepingComputer — 7‑Eleven data breach exposes personal information of 185,000 people




